SilentBob: TeamTNT Malware Campaign Targeting Misconfigured Servers

The legendary TeamTNT is back in the game after 2 years! In this article you will learn how they use cloud worm malware to steal your data and money without being detected. Protect your data and finances now!

2023-07-13 00:10:55 - admin


Security experts at Aqua Security have warned that the TeamTNT gang may be preparing a large new campaign against cloud environments, called "SilentBob". The suspicion arose after analysts identified hackers targeting misconfigured servers.


Aqua Security opened an investigation after noticing an attack on one of its honeypots. It subsequently identified four malicious container images. However, because several elements of the code are unused and some manual testing appears to be under way, the researchers argued that the campaign has not yet fully begun.


According to the experts, the infrastructure is in the early phases of testing and deployment, and generally corresponds to an aggressive cloud worm designed to deploy on publicly exposed JupyterLab and Docker APIs in order to install Tsunami malware, collect passwords, seize resources, and spread the worm further.


TeamTNT is a cybercriminal group well known for dangerous and destructive attacks on cloud systems, primarily Docker and Kubernetes environments. The group specializes in cryptomining.


Although TeamTNT ceased operations at the end of 2021, Aqua Security attributed the current campaign to TeamTNT based on the use of the Tsunami malware, the dAPIpwn functionality, and a C2 server that responds in German.


The observed activity begins when an attacker finds a misconfigured Docker API or JupyterLab server and either deploys a container or uses the command-line interface (CLI) to scan for other victims.


This method is designed to spread the malware to more servers. The secondary payload includes a cryptominer and a backdoor, with the backdoor built on the Tsunami malware. Aqua Security has published a set of recommendations to help enterprises mitigate the risk.
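The article does not say which settings make a Docker API or JupyterLab server "misconfigured". The added example below (not from this article or from Aqua Security) audits your own configuration files under the assumption that it means a Docker TCP listener without `tlsverify` and a Jupyter server with an empty token and no password; the sample configs and function names are constructed for illustration.

```python
import json
import re

# Constructed sample configs (not taken from the Aqua Security report).
WEAK_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAFE_DAEMON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
               ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
               ' "tlscert": "/etc/docker/cert.pem", "tlskey": "/etc/docker/key.pem"}')
WEAK_JUPYTER = "c.ServerApp.ip = '0.0.0.0'\nc.ServerApp.token = ''\nc.ServerApp.password = ''\n"
SAFE_JUPYTER = "c.ServerApp.ip = '127.0.0.1'\n# c.ServerApp.token = ''\n"

# Matches uncommented assignments such as: c.ServerApp.token = ''
JUPYTER_SETTING = re.compile(
    r"""^[ \t]*c\.\w+\.(token|password|hashed_password|ip)\s*=\s*u?(['"])(.*?)\2""", re.M)


def audit_docker_daemon(daemon_json):
    """Flag TCP listeners in daemon.json that lack client-certificate checks."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        # unix:// and fd:// sockets are local; only tcp:// is reachable remotely.
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(f"docker: {host} accepts API calls without tlsverify")
    return findings


def audit_jupyter_config(config_py):
    """Flag a Jupyter config that disables auth or binds to all interfaces."""
    settings = {m.group(1): m.group(3) for m in JUPYTER_SETTING.finditer(config_py)}
    findings = []
    has_password = bool(settings.get("password") or settings.get("hashed_password"))
    if settings.get("token") == "" and not has_password:
        findings.append("jupyter: empty token and no password, authentication is off")
    if settings.get("ip") in ("0.0.0.0", "*", "::"):
        findings.append("jupyter: server listens on all interfaces")
    return findings


if __name__ == "__main__":
    for name, result in [
        ("weak daemon.json", audit_docker_daemon(WEAK_DAEMON)),
        ("safe daemon.json", audit_docker_daemon(SAFE_DAEMON)),
        ("weak jupyter config", audit_jupyter_config(WEAK_JUPYTER)),
        ("safe jupyter config", audit_jupyter_config(SAFE_JUPYTER)),
    ]:
        print(name, "->", result or "no findings")
```

The Docker check only reads `daemon.json`; a listener added with `-H tcp://...` on the `dockerd` command line or in a systemd unit has to be reviewed separately.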

